Friday, 26 April 2013

Why you should never use a CAPTCHA [by Josh Fraser]

I hate CAPTCHAs (you know, those squiggly bits of impossible to read
text you have to fill out before you can do anything on some websites). I
think all of us can relate to the experience of trying to register for a
service or comment on a blog only to be stopped cold by an impossible
CAPTCHA. Maybe you got it on the second or third try, but chances are
you’ve also had occasions when you’ve bailed and decided it just wasn’t
worth the effort. Today I want to convince you to never add a CAPTCHA to your site.

Let’s start by looking at why CAPTCHAs were invented. The acronym stands for Completely Automated Public Turing test to tell Computers and Humans Apart.
Quite a mouthful, eh? The idea is to have something that a computer can
create but only a human can read. Whether or not humans can read
CAPTCHAs is debatable, but that’s the idea anyway.

Lots of sites use
these things to attempt to stop automated requests. For example, you’ve
got to fill out a CAPTCHA to get a Gmail account, send a message with a link on Facebook
or even just email directions on Mapquest. CAPTCHAs are most often used
to stop abuse around systems where there is a high incentive for
automated systems to be used, like spamming everyone on Facebook. There
are also a lot of people using CAPTCHAs where an alternative solution
would suffice.

My biggest beef with CAPTCHAs is that they are so
freaking annoying for users. They add an incredible amount of friction
to the process, friction that you probably can’t afford. Sure, some
CAPTCHAs are better than others, but none are great. I understand you
want to protect your site from spam and abuse, but are you ready to lose
potential users over it? The trade-off just isn’t worth it, especially
if you are a startup!

One of the things I’ve noticed is that
many people use CAPTCHAs when a simple non-intrusive spam-stopper would
suffice. For example, say you have a blog and notice you are starting to
get a large amount of spam comments. You decide to add a CAPTCHA to fix
the problem. The thing is, you’re not big enough to be a victim of a
targeted attack, you’re just getting generic spam bots. You don’t need a
CAPTCHA.

It’s far easier to stop generic spam bots than a
targeted attack. There are a lot of different techniques you can employ,
but a simple option is to add an extra field with a tempting name like
“email” to your form that is then hidden using CSS (not with type="hidden",
which most bots know to skip). Humans can’t see the field and as a result
will never fill it out; make sure screen readers and browser autofill skip
it too, or you will reject real people. Any request that comes in with the
field completed can easily be rejected as spam on the server. The beauty
of this is you have a pretty effective spam-stopper without ruining the
user experience or adding any friction to the process. A simple
technique like this is probably enough to stop the majority of spam
bots, though a bot written specifically for your site will learn to leave
the field empty.
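Here is the honeypot field in working form, as an added example in Python rather than code from the original post. The form renderer hides a text input named `email_confirm` (the name is an assumption; any tempting name works) with CSS, and the server-side classifier rejects any submission that fills it. The sample submissions are constructed for the example. It goes one step beyond the text: a submission that omits the field entirely is also treated as suspect, since a real browser posts every field of the rendered form, empty or not.

```python
"""Honeypot form field: a CSS-hidden input that humans never see but
generic spam bots fill in. Added example; names and HTML are assumptions."""
from html import escape

# Tempting name for the trap field (assumption: any email-ish name works).
HONEYPOT_FIELD = "email_confirm"


def render_comment_form(action: str = "/comment") -> str:
    """Return the comment form HTML with the honeypot field hidden by CSS.

    The trap is hidden with CSS rather than type="hidden" because many bots
    skip hidden inputs but fill every text input they find. tabindex="-1"
    and autocomplete="off" keep keyboard users and browser autofill away
    from it, and aria-hidden keeps screen readers from announcing it.
    """
    return f"""<form method="post" action="{escape(action)}">
  <label>Name <input name="name"></label>
  <label>Comment <textarea name="comment"></textarea></label>
  <div style="position:absolute;left:-10000px;top:auto" aria-hidden="true">
    <label>Leave this field empty
      <input name="{HONEYPOT_FIELD}" tabindex="-1" autocomplete="off"></label>
  </div>
  <button type="submit">Post comment</button>
</form>"""


def classify_submission(form: dict) -> str:
    """Classify a POSTed form (field name -> value) as "ok" or "spam"."""
    value = form.get(HONEYPOT_FIELD)
    if value is None:
        # A real browser submits every field of the rendered form, empty or
        # not, so a missing trap field means the POST was built by hand.
        return "spam"
    if value.strip():
        # A human cannot see the field, so anything typed into it is a bot.
        return "spam"
    return "ok"


# Constructed sample submissions (not real traffic).
SAMPLE_SUBMISSIONS = [
    {"name": "Ada", "comment": "Nice post.", HONEYPOT_FIELD: ""},
    {"name": "bot1", "comment": "cheap pills", HONEYPOT_FIELD: "bot@example.net"},
    {"name": "bot2", "comment": "cheap watches"},  # trap field stripped
]


def filter_submissions(submissions: list) -> list:
    """Return (name, verdict) pairs; only "ok" ones should reach the blog."""
    return [(s["name"], classify_submission(s)) for s in submissions]


if __name__ == "__main__":
    print(render_comment_form())
    for name, verdict in filter_submissions(SAMPLE_SUBMISSIONS):
        print(f"{name}: {verdict}")
```

The classifier runs before anything touches the database, so rejected posts cost one dictionary lookup and nothing else.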

But what if you really are big enough to be at the
receiving end of a targeted attack? What if you’re Facebook or Google?
They might not be fun, but aren’t CAPTCHAs a necessary evil? I don’t
think so. CAPTCHAs still aren’t going to protect you. The bad news is
that most CAPTCHA systems have already been cracked
using OCR software, making them trivial to bypass.
For the rest, hackers have been known to set up porn sites that require
you to enter a CAPTCHA (relayed from your site) in exchange for access to the adult content.
What are you going to do to prevent that? Not to mention, there’s a booming business in India right now for breaking CAPTCHAs by hand. The going rate
is $2 per 1,000. Can you compete with that? If someone wants into your
site, I’m sorry, but your annoying little CAPTCHA isn’t going to stop
them.

Some people have taken more creative approaches to the CAPTCHA problem. Joe Stump tweeted the other day about one solution
he discovered. You’ll see a lot of these around the web, often added by
people who hate CAPTCHAs but haven’t stopped to think through the
details. I remember seeing one approach that Hot or Not used that asked
users to pick the 3 most attractive people out of 9 pictures. While
these sorts of solutions are more fun for users than a traditional
CAPTCHA, they are usually still pretty worthless at providing any real
security.

For example, with Hot or Not, the odds of a computer correctly
guessing the 3 attractive people are 1 in 84 (there are 9 choose 3 = 84 ways to pick 3 pictures out of 9). While those aren’t great
odds for a human, they’re not bad for a computer that can retry, especially if you
have a botnet at your disposal! Other approaches like the ones that ask
you to do simple math or ask simple questions like “what is known as
man’s best friend?” are vulnerable too. In most cases, all you’d need to
do to crack the CAPTCHA is throw the question at Google and analyze the
responses that come back. These systems are often also vulnerable because they
have a limited list of questions to ask, so it doesn’t take long for a
hacker to build up a dictionary of correct answers to feed to the bot.

reCAPTCHA from Google
is another anti-bot option. They proudly talk about all the good
they are doing by using the technology to help digitize books. But even reCAPTCHA can be broken with 23% accuracy, and it’s just as frustrating for users as the other alternatives.

So
where does that leave us? CAPTCHAs are annoying, you probably don’t
need one and even if you did it could still be broken pretty easily.

The
most balanced approach is to add some basic security to stop generic
bots and then stop worrying and get rid of the CAPTCHA altogether!
Instead, watch out for suspicious IPs and monitor for nefarious
behavior (like the same spam link being sent to multiple users, a large number of
requests from one IP in a short window, etc.).
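Here is what that behavioral monitoring looks like in code, as an added example (Python, not from the original post). It covers both signals named above: a sliding-window count of POSTs per IP over access-log lines in common log format, and a check for one sender pushing the same URL to several different recipients. The log lines, messages, thresholds and the `/comment` path are all constructed assumptions for the example.

```python
"""Behaviour-based spam detection: per-IP request bursts and repeated links.
Added example with constructed log lines and messages; thresholds, log format
and field names are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx common log format (assumption about what the site logs).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
URL_RE = re.compile(r'https?://[^\s"<>]+')


def parse_line(line: str):
    """Parse one access-log line into a dict, or None if it is malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def flag_bursty_ips(lines, path_prefix="/comment", limit=5, window_s=60):
    """Map IP -> time it first exceeded `limit` POSTs to path_prefix within
    any sliding window of `window_s` seconds. Lines must be in time order."""
    recent = defaultdict(deque)   # ip -> timestamps of recent POSTs
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if not rec["path"].startswith(path_prefix):
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()            # drop POSTs that fell out of the window
        if len(q) > limit and rec["ip"] not in flagged:
            flagged[rec["ip"]] = rec["ts"]
    return flagged


def flag_link_spammers(messages, min_recipients=3):
    """Return senders who pushed the same URL to at least min_recipients
    distinct users; messages are (sender, recipient, text) tuples."""
    recipients = defaultdict(set)  # (sender, url) -> set of recipients
    for sender, recipient, text in messages:
        for url in URL_RE.findall(text):
            recipients[(sender, url.rstrip(".,)"))].add(recipient)
    return sorted({s for (s, _), r in recipients.items() if len(r) >= min_recipients})


# Constructed sample data (not real traffic): one IP hammers /comment,
# another posts at a human pace, plus a GET and a malformed line.
SAMPLE_LOG = [
    '203.0.113.7 - - [26/Apr/2013:10:00:00 +0000] "POST /comment HTTP/1.1" 200 512',
    '198.51.100.2 - - [26/Apr/2013:10:00:02 +0000] "POST /comment HTTP/1.1" 200 512',
    '203.0.113.7 - - [26/Apr/2013:10:00:05 +0000] "POST /comment HTTP/1.1" 200 512',
    '203.0.113.7 - - [26/Apr/2013:10:00:10 +0000] "POST /comment HTTP/1.1" 200 512',
    '203.0.113.7 - - [26/Apr/2013:10:00:12 +0000] "GET /post/42 HTTP/1.1" 200 8192',
    '203.0.113.7 - - [26/Apr/2013:10:00:15 +0000] "POST /comment HTTP/1.1" 200 512',
    'garbage line that does not parse',
    '203.0.113.7 - - [26/Apr/2013:10:00:20 +0000] "POST /comment HTTP/1.1" 200 512',
    '203.0.113.7 - - [26/Apr/2013:10:00:25 +0000] "POST /comment HTTP/1.1" 200 512',
    '198.51.100.2 - - [26/Apr/2013:10:03:00 +0000] "POST /comment HTTP/1.1" 200 512',
]
SAMPLE_MESSAGES = [
    ("spammer", "alice", "check this out http://example.net/deal"),
    ("spammer", "bob", "you'll love it http://example.net/deal"),
    ("spammer", "carol", "amazing: http://example.net/deal."),
    ("mallory", "dave", "seen http://example.org/news ?"),
    ("mallory", "erin", "seen http://example.org/news ?"),
]

if __name__ == "__main__":
    print("bursty IPs:", flag_bursty_ips(SAMPLE_LOG))
    print("link spammers:", flag_link_spammers(SAMPLE_MESSAGES))
```

Neither check asks the user for anything: both run over data the site already has, and a flagged IP or account can be rate-limited or held for review without a single legitimate visitor seeing a puzzle.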

We live in a world where spammers are
a real problem and must be addressed, but CAPTCHAs are not the answer.
You simply cannot afford the friction. By using a CAPTCHA you are
making the internet a whole lot less fun for all of us.